[wp-trac] [WordPress Trac] #8152: WordPress should force all URL query string requests to be 255 characters or less
WordPress Trac
wp-trac at lists.automattic.com
Tue Nov 11 11:45:59 GMT 2008
#8152: WordPress should force all URL query string requests to be 255 characters or less
----------------------+-----------------------------------------------------
Reporter:  _ck_       | Owner:      anonymous
Type:      defect     | Status:     new
Priority:  normal     | Milestone:  2.7
Component: Security   | Version:    2.6.1
Severity:  normal     | Keywords:
----------------------+-----------------------------------------------------
In the core at startup, WordPress should force all $_GET variables over
255 characters to be either truncated or removed entirely for security.
Optionally, the entire query string should be checked for a length over 255
characters and force WP to die if so.

Apache unfortunately allows URL query strings to be up to 8192 characters
long, which is happily passed to PHP and WordPress. This helps XSS and
other URL-query-based attacks to get through. I've yet to see such an
attack under 255 characters, so let's make it much harder for them.

It is extremely unlikely any legitimate request via $_GET would be that
long; instead, a plugin author would use $_POST. Of course there are
attacks that use $_POST too, but let's plug the holes that we can.

RFC 2068 states that queries over 255 characters aren't necessarily
tolerated; let's go for the lower bound.
--
Ticket URL: <http://trac.wordpress.org/ticket/8152>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
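The check the ticket proposes, written out as an added example that is not part of the original ticket or of WordPress core: it refuses the request when the raw query string exceeds the limit and drops any individual $_GET value longer than it. The 255-character constant, the function name and loading it as a must-use plugin (so it runs before regular plugins and themes) are assumptions.

```php
<?php
// Added example of the ticket's proposal; not WordPress core code.
// The limit is taken from the ticket; the function name is assumed.
const WP_QUERY_ARG_MAX = 255;

/**
 * Apply the ticket's two rules to a copy of the request data.
 * Returns null when the whole query string is over the limit (caller
 * should refuse the request), otherwise the filtered $_GET array with
 * every over-long or non-scalar value removed.
 */
function wp_limit_query_args(array $get, string $query_string, int $max = WP_QUERY_ARG_MAX) {
    if (strlen($query_string) > $max) {
        return null;
    }
    foreach ($get as $key => $value) {
        // ?a[]=x&a[]=y arrives as an array: check each element; nested
        // arrays are treated as unexpected and dropped with the key.
        $values = is_array($value) ? $value : array($value);
        foreach ($values as $v) {
            if (!is_string($v) || strlen($v) > $max) {
                unset($get[$key]);
                break;
            }
        }
    }
    return $get;
}

// Placed in wp-content/mu-plugins/, this file is loaded before regular
// plugins, which is as close to "at startup" as a plugin can get.
$filtered = wp_limit_query_args($_GET, isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '');
if ($filtered === null) {
    // wp_die() is the core helper for aborting with an error page;
    // 414 is the HTTP status for an over-long request URI.
    wp_die('Query string exceeds ' . WP_QUERY_ARG_MAX . ' characters.',
           'Request Too Long', array('response' => 414));
}
$_GET = $filtered;
```

Legitimate long GET values (long search terms, URL-encoded redirect targets) are dropped by the same rule, so exercise the site's own plugins with the check in place before relying on it.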